Opened 2 years ago

Last modified 19 months ago

#2431 closed defect

HTTP3: Clang reports heap-use-after-free in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:231 — at Initial Version

Reported by: bullerdu@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.23.x
Keywords: http3 Cc:
uname -a: Linux 4.19.91-008.ali4000.alios7.x86_64 #1 SMP Fri Sep 4 17:33:26 CST 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.23.3
built by gcc 9.3.0 (GCC)
built with OpenSSL 1.1.0 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --with-debug --with-http_v3_module --prefix=/home/yefei.dyf/nginx --with-cc-opt=-I/home/yefei.dyf/boringssl/include --with-ld-opt='-L/home/yefei.dyf/boringssl/ssl -L/home/yefei.dyf/boringssl/crypto' --with-google_perftools_module

Description

==4234==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00004a4a0 at pc 0x0000004e9d7f bp 0x7ffedf26fdd0 sp 0x7ffedf26f580
READ of size 6 at 0x61e00004a4a0 thread T0

#0 0x4e9d7e in __interceptor_memcpy.part.41 (/home/admin/tengine/bin/t-coresystem-tengine-cdn-debug+0x4e9d7e)
#1 0x82b1af in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:231
#2 0x82cd6f in ngx_http_v3_duplicate src/http/v3/ngx_http_v3_table.c:421
#3 0x829a78 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1519
#4 0x829a78 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
#5 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
#6 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
#7 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
#8 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
#9 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
#10 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
#11 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
#12 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
#13 0x5864fc in main src/core/nginx.c:448
#14 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)
#15 0x4ac228 (/home/admin/tengine/bin/t-coresystem-tengine-cdn-debug+0x4ac228)

freed by thread T0 here:

#0 0x54e7e0 in free (/home/admin/tengine/bin/t-coresystem-tengine-cdn-debug+0x54e7e0)
#1 0x82aded in ngx_http_v3_evict src/http/v3/ngx_http_v3_table.c:381
#2 0x82afec in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:210
#3 0x82cd6f in ngx_http_v3_duplicate src/http/v3/ngx_http_v3_table.c:421
#4 0x829a78 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1519
#5 0x829a78 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
#6 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
#7 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
#8 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
#9 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
#10 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
#11 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
#12 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
#13 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
#14 0x5864fc in main src/core/nginx.c:448
#15 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)

previously allocated by thread T0 here:

#0 0x54eaf8 in malloc (/home/admin/tengine/bin/t-coresystem-tengine-cdn-debug+0x54eaf8)
#1 0x5fc3a3 in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x82b12d in ngx_http_v3_insert src/http/v3/ngx_http_v3_table.c:221
#3 0x82c91a in ngx_http_v3_ref_insert src/http/v3/ngx_http_v3_table.c:195
#4 0x829f52 in ngx_http_v3_parse_field_inr src/http/v3/ngx_http_v3_parse.c:1624
#5 0x829f52 in ngx_http_v3_parse_encoder src/http/v3/ngx_http_v3_parse.c:1479
#6 0x829f52 in ngx_http_v3_parse_uni src/http/v3/ngx_http_v3_parse.c:2001
#7 0x82e506 in ngx_http_v3_uni_read_handler src/http/v3/ngx_http_v3_uni.c:225
#8 0x5ed9ae in ngx_event_handler_elapsed src/event/ngx_event.c:1755
#9 0x5ee5b8 in ngx_event_process_posted src/event/ngx_event_posted.c:35
#10 0x5ed302 in ngx_process_events_and_timers src/event/ngx_event.c:422
#11 0x60e8d2 in ngx_worker_process_cycle src/os/unix/ngx_process_cycle.c:841
#12 0x605a8f in ngx_spawn_process src/os/unix/ngx_process.c:200
#13 0x60fbbf in ngx_reap_children src/os/unix/ngx_process_cycle.c:645
#14 0x60fbbf in ngx_master_process_cycle src/os/unix/ngx_process_cycle.c:195
#15 0x5864fc in main src/core/nginx.c:448
#16 0x7fe4638fd444 in __libc_start_main (/lib64/libc.so.6+0x22444)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/admin/tengine/bin/t-coresystem-tengine-cdn-debug+0x4e9d7e) in __interceptor_memcpy.part.41
Shadow bytes around the buggy address:

0x0c3c80001440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c80001450: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c3c80001460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c80001470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c80001480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c80001490: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c3c800014a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c800014b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c800014c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c800014d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3c800014e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb

==4234==ABORTING
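The three stacks in the report tell the whole story: the entry's buffer is allocated by ngx_http_v3_insert (via ngx_http_v3_ref_insert), freed by ngx_http_v3_evict running inside a later ngx_http_v3_insert, and then read by the memcpy in that same insert. In both the "freed by" and the "READ" stacks the caller is ngx_http_v3_duplicate, so the source name/value handed to insert point into an existing table entry, and insert evicts before it copies. The following is an added example and not nginx's or Tengine's code: a minimal QPACK-style dynamic table in C with a quarantine free standing in for ASan's freed-region tracking, showing a Duplicate of the oldest entry reading that entry after eviction has freed it, beside a copy-first variant that does not. The table layout, the 0xDD poison, the capacity of 80 bytes, the two constructed entries and the hardened shape are all assumptions made for this example; the copy-first variant is one possible fix shape, not nginx's actual change.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Quarantine "free", standing in for ASan's freed-region tracking: nothing is
 * really released, so a stale read sees poison instead of recycled memory.
 * (Example allocator, not anything nginx uses.) */
#define QUARANTINE_SLOTS 64
static struct { uintptr_t lo, hi; } quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len;
static int uaf_reads;                        /* copies that read quarantined bytes */

static void q_free(char *p, size_t n)
{
    if (quarantine_len == QUARANTINE_SLOTS) abort();
    memset(p, 0xDD, n);                      /* poison, as a debug allocator would */
    quarantine[quarantine_len].lo = (uintptr_t) p;
    quarantine[quarantine_len].hi = (uintptr_t) p + n;
    quarantine_len++;
}

/* Plays the role of the memcpy interceptor in frame #0 of the report. */
static void checked_memcpy(char *dst, const char *src, size_t n)
{
    uintptr_t lo = (uintptr_t) src, hi = lo + n;
    for (size_t i = 0; i < quarantine_len; i++)
        if (lo < quarantine[i].hi && quarantine[i].lo < hi) { uaf_reads++; break; }
    memcpy(dst, src, n);
}

/* Minimal QPACK-style dynamic table: ring of entries, oldest at `base`,
 * size accounting as in RFC 9204 (name length + value length + 32). */
#define TABLE_SLOTS 16
typedef struct { char *name; size_t nlen; char *value; size_t vlen; } entry_t;
typedef struct { entry_t *ring[TABLE_SLOTS]; size_t base, count, capacity, used; } table_t;

static size_t entry_size(size_t nlen, size_t vlen) { return nlen + vlen + 32; }

/* Relative index 0 is the newest entry, as in QPACK encoder instructions. */
static entry_t *table_get(table_t *t, size_t rel)
{
    return rel < t->count ? t->ring[(t->base + t->count - 1 - rel) % TABLE_SLOTS] : NULL;
}

static void table_evict(table_t *t, size_t need)
{
    while (t->count && t->used + need > t->capacity) {
        entry_t *e = t->ring[t->base];
        t->used -= entry_size(e->nlen, e->vlen);
        q_free(e->name, e->nlen);            /* bytes a stale caller may still point at */
        q_free(e->value, e->vlen);           /* e itself is kept so a stale pointer stays readable */
        t->base = (t->base + 1) % TABLE_SLOTS;
        t->count--;
    }
}

/* Evict, then copy: the order the two stacks in the report show (free from
 * evict inside insert, then memcpy inside insert). If name/value point into
 * the table itself, eviction can free them before they are read. */
static entry_t *table_insert(table_t *t, const char *name, size_t nlen,
                             const char *value, size_t vlen)
{
    size_t size = entry_size(nlen, vlen);
    if (size > t->capacity || t->count == TABLE_SLOTS) return NULL;
    table_evict(t, size);

    entry_t *e = malloc(sizeof *e);
    e->name = malloc(nlen);  e->nlen = nlen;
    e->value = malloc(vlen); e->vlen = vlen;
    checked_memcpy(e->name, name, nlen);
    checked_memcpy(e->value, value, vlen);
    t->ring[(t->base + t->count++) % TABLE_SLOTS] = e;
    t->used += size;
    return e;
}

/* Vulnerable shape: hand insert() pointers into the existing entry. */
static entry_t *duplicate_unsafe(table_t *t, size_t rel)
{
    entry_t *src = table_get(t, rel);
    return src ? table_insert(t, src->name, src->nlen, src->value, src->vlen) : NULL;
}

/* Hardened shape (one possible fix, not nginx's): copy the source before
 * insert() has a chance to evict it. */
static entry_t *duplicate_safe(table_t *t, size_t rel)
{
    entry_t *src = table_get(t, rel);
    if (!src) return NULL;
    char *n = malloc(src->nlen), *v = malloc(src->vlen);
    memcpy(n, src->name, src->nlen);
    memcpy(v, src->value, src->vlen);
    entry_t *e = table_insert(t, n, src->nlen, v, src->vlen);
    free(n); free(v);
    return e;
}

/* Constructed scenario: a table holding exactly two entries, then a Duplicate
 * of the oldest one, whose room can only come from evicting that entry. */
typedef struct { int uaf_reads; int value_intact; unsigned char first_byte; } demo_result_t;

static demo_result_t run_demo(int use_safe)
{
    demo_result_t r = { 0, 0, 0 };
    quarantine_len = 0; uaf_reads = 0;
    table_t t; memset(&t, 0, sizeof t); t.capacity = 80;   /* two 37-byte entries fit */
    table_insert(&t, "key", 3, "v1", 2);                   /* oldest: relative index 1 */
    table_insert(&t, "key", 3, "v2", 2);
    entry_t *dup = use_safe ? duplicate_safe(&t, 1) : duplicate_unsafe(&t, 1);
    r.uaf_reads = uaf_reads;
    if (dup) {
        r.first_byte = (unsigned char) dup->value[0];
        r.value_intact = dup->vlen == 2 && memcmp(dup->value, "v1", 2) == 0;
    }
    return r;
}
```

run_demo(0) reproduces the report's ordering: both checked_memcpy calls in insert land on quarantined bytes and the duplicated value comes back as poison, which is the same read that ASan flags at ngx_http_v3_table.c:231. run_demo(1) performs the identical eviction but copies from private buffers, so nothing stale is read. The entry headers are deliberately leaked in the model so the stale pointer in the unsafe path stays dereferenceable instead of crashing before the copy.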

Change History (0)
